9 changes: 8 additions & 1 deletion README.md
Expand Up @@ -64,13 +64,20 @@ A history of governance, risk, and compliance milestones — from the first fede
| 2004 | 2004 | OCEG Red Book published | Analysts · OCEG | OCEG published the first GRC Capability Model — the "Red Book." | Established the first formal GRC capability model, the reference architecture later GRC tooling was built around. | https://www.oceg.org/20-years/ |
| Oct 2005 | October 14, 2005 | ISO 27001 | Governments · ISO/IEC | International standard for information security management systems, evolving from BS 7799. | Became the de facto global ISMS certification. | https://www.iso.org/standard/42103.html |
| Jun 2011 | June 15, 2011 | SSAE 16 & SOC | Auditors · AICPA | AICPA replaced SAS 70 with SSAE 16, introducing SOC 1, SOC 2, and SOC 3 reports. | SOC 2 became the dominant trust signal for SaaS vendors. | https://egrove.olemiss.edu/aicpa_prof/472/ |
| Sep 2011 | September 2011 | NIST SP 800-137 (ISCM) | Governments · NIST | "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations" — the first formal continuous-monitoring strategy for federal agencies. | Codified the pivot from periodic audits to continuous monitoring — the conceptual seed for real-time compliance. | https://csrc.nist.gov/pubs/sp/800/137/final |
| 2012 | 2012 | CDM Program launched | Governments · DHS/CISA | The Department of Homeland Security launched the Continuous Diagnostics and Mitigation (CDM) program to provide federal civilian agencies with tools for ongoing asset, identity, network, and data monitoring. | First large-scale operationalization of continuous monitoring across the federal enterprise. | https://www.cisa.gov/topics/cybersecurity-best-practices/continuous-diagnostics-and-mitigation-cdm-program |
| Feb 2014 | February 12, 2014 | NIST CSF | Governments · NIST | Cybersecurity Framework v1.0 — voluntary risk-based framework with Identify / Protect / Detect / Respond / Recover functions. | Most widely adopted cybersecurity framework outside of regulated sectors. | https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02122014.pdf |
| May 2016 | May 24, 2016 | GDPR | Governments · EU | General Data Protection Regulation (Regulation (EU) 2016/679) — comprehensive EU privacy law with global extraterritorial reach; entered into force 24 May 2016 (applied from 25 May 2018). | Reset the bar for privacy controls and triggered a wave of similar legislation worldwide. | https://eur-lex.europa.eu/eli/reg/2016/679/oj |
| 2021 | June 1, 2021 | Netflix hires first GRC Engineer | Engineers · Netflix | Netflix posted some of the first job descriptions explicitly titled "GRC Engineer," applying engineering practices to compliance. | Marked the emergence of GRC as an engineering discipline rather than a purely auditor-driven function. | https://www.radicalcompliance.com/2021/06/18/compliance-jobs-report-june-18/ |
| Jun 2021 | June 7, 2021 | OSCAL 1.0.0 | Governments · NIST | NIST released OSCAL 1.0.0 — the Open Security Controls Assessment Language — with the SP 800-53 Rev. 5 catalog available in machine-readable JSON, XML, and YAML. | First major US federal control catalog shipped natively as machine-readable data — the foundation for compliance-as-code. | https://pages.nist.gov/OSCAL/about/releases/ |
| Jan 2023 | January 16, 2023 | DORA | Governments · EU | Regulation (EU) 2022/2554 — the Digital Operational Resilience Act, harmonizing ICT risk, resilience testing, and third-party oversight for EU financial entities; entered into force 16 January 2023. | Made operational-resilience controls and continuous testing a regulatory requirement in finance. | https://eur-lex.europa.eu/eli/reg/2022/2554/oj |
| Jan 2023 | January 16, 2023 | NIS2 Directive | Governments · EU | Directive (EU) 2022/2555 — expanded EU cybersecurity risk-management and incident-reporting obligations across critical and important sectors; entered into force 16 January 2023. | Broadened mandatory security controls and board accountability across the EU economy. | https://eur-lex.europa.eu/eli/dir/2022/2555/oj |
| Nov 2023 | November 23, 2023 | GRC Engineering Podcast launches | Engineer · Community | Ayoub Fandi launches the first podcast dedicated to GRC Engineering with episode S1E1 — "The Who, the Why and the What." | First sustained public conversation series for the discipline; grew the community beyond conference talks. | https://www.youtube.com/watch?v=vupO7TxBWpM |
| Jul 2024 | July 15, 2024 | GRC Engineering Manifesto published | Engineer · Community | A community-authored manifesto codifying the principles of GRC Engineering at grc.engineering. | Crystallized the discipline's values — engineering practices, automation, design thinking — into a shared artifact. | https://grc.engineering/ |
| Feb 2024 | February 26, 2024 | NIST CSF 2.0 | Governments · NIST | Cybersecurity Framework 2.0 — added the GOVERN function and expanded scope from critical infrastructure to all organizations. | First major CSF update in a decade; institutionalized governance as a peer function alongside Identify / Protect / Detect / Respond / Recover. | https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf |
| Jul 2024 | July 15, 2024 | GRC Engineering Manifesto published | Engineer · Community | A community-authored manifesto codifying the principles of GRC Engineering at grc.engineering. | Crystallized the discipline's values — engineering practices, automation, design thinking — into a shared artifact. | https://grc.engineering/ |
| Jul 2024 | July 25, 2024 | OMB M-24-15 (FedRAMP modernization) | Governments · OMB | "Modernizing the Federal Risk and Authorization Management Program (FedRAMP)" — directed FedRAMP toward automation, continuous monitoring, and machine-readable artifacts. | Federal commitment to compliance-as-code at scale; turned the FedRAMP authorization pipeline into a GRC Engineering exemplar. | https://www.whitehouse.gov/wp-content/uploads/2024/07/M-24-15-Modernizing-the-Federal-Risk-and-Authorization-Management-Program-FedRAMP.pdf |
| Mar 2025 | March 24, 2025 | FedRAMP 20x | Governments · FedRAMP PMO | FedRAMP announced "20x" — a ground-up rebuild of the authorization process around continuous monitoring, automation, and machine-readable evidence, implementing OMB M-24-15. | The most concrete federal example of GRC Engineering principles applied to a major compliance regime. | https://www.fedramp.gov/2025-03-24-Introducing-FedRAMP-20x/ |
| Jun 2025 | June 2025 | GAO-25-107470 (CDM retrospective) | Governments · GAO | "Cybersecurity: Network Monitoring Program Needs Further Guidance and Actions" — found CDM meeting only 2 of 4 capability goals after 13 years. | 13-year retrospective showing the limits of mandate-driven, agency-by-agency rollouts; case study for why platform-thinking matters. | https://www.gao.gov/products/gao-25-107470 |

---
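Review bot: The "Jul 2024 | July 15, 2024 | GRC Engineering Manifesto published" row appears twice in this hunk, once before the "Feb 2024 | NIST CSF 2.0" row and once after it. The file summary (8 additions, 1 deletion) is consistent with the first occurrence being the deleted line and the row simply being moved so the table stays in date order, but please confirm that is what the diff does; if both rows survive, the table ends up with a duplicate milestone and the Feb 2024 CSF 2.0 row still sits out of sequence behind a Jul 2024 entry. Two smaller consistency points on the new rows: the GDPR row records both "entered into force 24 May 2016" and "applied from 25 May 2018", whereas the DORA and NIS2 rows give only the 16 January 2023 entry-into-force date, so readers cannot tell from the table when those obligations actually start to bite; adding the application or transposition date in the same "entered into force ... (applied from ...)" form would keep the column consistent. Also, the Netflix row shows "2021" in the first column while its neighbours use "Mon YYYY" (e.g. "Jun 2021"), so that cell should probably read "Jun 2021" to match the June 1, 2021 date in the second column.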
